A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security

Ueli Maurer and Johan Sjödin

Motivated by the quest for reducing assumptions in security proofs in
cryptography, this paper is concerned with designing efficient
symmetric encryption and authentication schemes based on any
weak pseudorandom function (PRF) which can be much more efficiently
implemented than PRFs. Damgård and Nielsen (CRYPTO '02) have
shown how to construct an efficient symmetric encryption scheme based
on any weak PRF that is provably secure against chosen-plaintext
attacks. The main ingredient is a range-extension construction for
weak PRFs. By using well-known techniques, they also showed how their
scheme can be made secure against the stronger chosen-ciphertext
attacks.

The results of our paper are three-fold. First, we give a
range-extension construction for weak PRFs that is optimal (within a
large and natural class of constructions, especially all constructions
that are known today). Second, we propose a strengthening of a weak
PRF to a PRF. Third, these two results imply a (for long messages)
much more efficient chosen-ciphertext secure encryption scheme than
the one proposed by Damgård and Nielsen. The results also solve
open questions posed by Naor and Reingold (CRYPTO '98) and by
Damgård and Nielsen.